G0022: APT3
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
Analyst context for executives and security teams
APT3 is an ATT&CK intrusion set with multiple aliases and public reporting tying it to campaigns such as Operation Clandestine Fox, Clandestine Wolf, and Double Tap. For leaders, the value of this object is not the name alone: the related ATT&CK context points to a Windows-heavy intrusion pattern involving remote access tooling, credential theft, discovery, lateral movement, scheduled execution, and possible data exfiltration over command-and-control channels. That makes it useful for validating whether core enterprise controls can withstand a capable espionage-style operator rather than only commodity malware.
Executive priority
Use APT3 as a control-readiness and incident-planning scenario: can the organization detect credential access against LSASS, use of RDP/SMB for lateral movement, scheduled task persistence, PowerShell or cmd execution, internal discovery, and outbound exfiltration-like traffic? The external reporting also references historical Flash zero-day/CVE-focused activity, so vulnerability leaders should ensure legacy client-side software exposure and emergency patch processes are measurable. For compliance and board reporting, this group is a good test case for proving endpoint, identity, network, and IR evidence is retained and usable during an investigation.
Technical view
ATT&CK does not provide a group-level detection statement or explicit group platforms, but the relationships are strongly oriented around Windows behaviors and tools: PlugX, SHOTPUT, schtasks, OSInfo, RemoteCMD, LaZagne, LSASS memory access, RDP, SMB/admin shares, scheduled tasks, PowerShell, and Windows command shell. SOC and IR teams should validate detections across the behavior chain: execution through command interpreters, suspicious scheduled task creation or modification, credential access indicators involving LSASS or password recovery tooling, discovery commands for users/processes/network configuration/remote systems, lateral movement over RDP and SMB, and outbound traffic consistent with C2-based exfiltration. Treat aliases such as Gothic Panda, Pirpi, UPS Team, Buckeye, TG-0110, and Threat Group-0110 as intelligence correlation terms, not standalone detection logic.
Likely telemetry
- Endpoint process creation with command-line arguments, parent/child process context, and script execution details
- PowerShell logging where available, including script block/module activity and encoded or obfuscated command patterns
- Windows scheduled task creation, modification, execution, and schtasks.exe usage
- Windows authentication and logon telemetry for RDP, SMB, administrative shares, and lateral movement paths
- LSASS access events, credential dumping prevention/alert telemetry, and memory access indicators
Detection direction
- Prioritize behavior-based analytics over name matching because the group has many aliases and related tools include both custom and publicly available software.
- Correlate discovery followed by credential access and RDP/SMB activity; each event alone may resemble administration, but the sequence is higher value for detection engineering.
- Tune scheduled task detections for unusual creators, paths, command interpreters, remote creation, and tasks running from user-writable or unexpected locations.
- Validate PowerShell and cmd visibility; missing command-line and script telemetry is a major blind spot for the related execution techniques.
- Review false positives from legitimate administration tools such as schtasks, RDP, SMB, and remote command execution; detections should include user, host role, time, source, and change-ticket context where possible.
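The discovery, then credential access, then RDP/SMB sequence described above, as an added example that is not part of the ATT&CK object or the page's own analysis. It runs over constructed, pre-normalised Sysmon events (process creation, LSASS process access, outbound connections); the field names, the LSASS reader allowlist, the two-hour window and the sample events are assumptions. Sysmon network events are used for the last stage so the whole chain stays on one host; a Security 4624 logon with type 10 on the destination, keyed by source address, is the stronger confirmation in production.

```python
"""Added example: correlate discovery -> LSASS access -> RDP/SMB egress
per host. Not from the ATT&CK object or the page. Field names, the LSASS
reader allowlist, the window and the sample events are assumptions."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Internal discovery commands (T1016/T1049/T1057/T1087/T1069/T1033/T1082).
DISCOVERY_RE = re.compile(
    r"\b(?:ipconfig(?:\.exe)?\s+/all|netstat(?:\.exe)?\s+-|tasklist(?:\.exe)?"
    r"|net1?(?:\.exe)?\s+(?:user|group|localgroup|view)|whoami(?:\.exe)?"
    r"|systeminfo(?:\.exe)?)\b",
    re.IGNORECASE,
)
PROCESS_VM_READ = 0x0010  # the access right any LSASS memory reader needs
# Assumption: OS processes that legitimately open LSASS; extend from a baseline.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
LATERAL_PORTS = {3389: "rdp", 445: "smb"}
WINDOW = timedelta(hours=2)


def stage(ev: dict) -> str | None:
    """Map one event to a chain stage; None means it is not interesting."""
    if ev["source"] != "sysmon":
        return None
    eid = ev["event_id"]
    if eid == 1:  # process creation with full command line
        return "discovery" if DISCOVERY_RE.search(ev.get("command_line", "")) else None
    if eid == 10:  # process access: who opened LSASS, and with which rights
        if not ev.get("target_image", "").lower().endswith("\\lsass.exe"):
            return None
        if ev.get("source_image", "").lower() in LSASS_ALLOWED_SOURCES:
            return None
        granted = int(ev.get("granted_access", "0x0"), 16)
        return "credential_access" if granted & PROCESS_VM_READ else None
    if eid == 3 and ev.get("initiated") and int(ev.get("dest_port", 0)) in LATERAL_PORTS:
        return "lateral_movement"  # outbound RDP/SMB from the suspected host
    return None


def correlate(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """One alert per LSASS-access event that has discovery within `window`
    before it and RDP/SMB egress within `window` after it, on the same host."""
    by_host: dict[str, list[tuple[datetime, str, dict]]] = {}
    for ev in events:
        s = stage(ev)
        if s:
            by_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["time"]), s, ev))
    alerts = []
    for host, staged in by_host.items():
        staged.sort(key=lambda item: item[0])
        for t_c, s, cred in staged:
            if s != "credential_access":
                continue
            disc = [e for t, st, e in staged
                    if st == "discovery" and t_c - window <= t < t_c]
            lat = [e for t, st, e in staged
                   if st == "lateral_movement" and t_c < t <= t_c + window]
            if disc and lat:  # each stage alone looks like admin work; the order is the signal
                alerts.append({
                    "host": host,
                    "user": cred.get("user"),
                    "discovery": [e["command_line"] for e in disc],
                    "lsass_reader": cred["source_image"],
                    "lateral": [f"{e['dest_ip']}:{e['dest_port']}/{LATERAL_PORTS[int(e['dest_port'])]}"
                                for e in lat],
                    "span": (disc[0]["time"], lat[-1]["time"]),
                })
    return alerts


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    # WS01: full chain -> alert
    {"host": "WS01", "time": "2024-03-04T09:00:00", "source": "sysmon", "event_id": 1,
     "user": "CORP\\jdoe", "command_line": "ipconfig /all"},
    {"host": "WS01", "time": "2024-03-04T09:02:00", "source": "sysmon", "event_id": 1,
     "user": "CORP\\jdoe", "command_line": "net user /domain"},
    {"host": "WS01", "time": "2024-03-04T09:20:00", "source": "sysmon", "event_id": 10,
     "user": "CORP\\jdoe", "source_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1010"},
    {"host": "WS01", "time": "2024-03-04T09:45:00", "source": "sysmon", "event_id": 3,
     "user": "CORP\\jdoe", "initiated": True, "dest_ip": "10.0.5.20", "dest_port": 3389},
    # WS02: admin discovery then RDP, no LSASS access -> ordinary administration
    {"host": "WS02", "time": "2024-03-04T10:00:00", "source": "sysmon", "event_id": 1,
     "user": "CORP\\admin1", "command_line": "ipconfig /all"},
    {"host": "WS02", "time": "2024-03-04T10:01:00", "source": "sysmon", "event_id": 3,
     "user": "CORP\\admin1", "initiated": True, "dest_ip": "10.0.5.21", "dest_port": 3389},
    # WS03: csrss.exe opening LSASS is normal OS behaviour -> suppressed
    {"host": "WS03", "time": "2024-03-04T11:00:00", "source": "sysmon", "event_id": 10,
     "user": "NT AUTHORITY\\SYSTEM", "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1fffff"},
    # WS04: discovery three hours before LSASS access -> outside the window
    {"host": "WS04", "time": "2024-03-04T08:00:00", "source": "sysmon", "event_id": 1,
     "user": "CORP\\bsmith", "command_line": "tasklist /v"},
    {"host": "WS04", "time": "2024-03-04T11:00:00", "source": "sysmon", "event_id": 10,
     "user": "CORP\\bsmith", "source_image": "C:\\Users\\bsmith\\Downloads\\pd.exe",
     "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1fffff"},
    {"host": "WS04", "time": "2024-03-04T11:10:00", "source": "sysmon", "event_id": 3,
     "user": "CORP\\bsmith", "initiated": True, "dest_ip": "10.0.5.30", "dest_port": 445},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only WS01 fires with the default window; widening it to four hours also catches WS04, which is the tuning trade-off the text describes: a longer window catches slower operators at the cost of stitching unrelated admin activity together. Allowlist LSASS readers by full path, not image name, because a dumper named svchost.exe in a user profile must not be suppressed.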
Mitigation priorities
- Reduce credential exposure first: enforce least privilege, protect administrative accounts, restrict credential reuse, and harden systems against LSASS credential theft.
- Constrain lateral movement paths by limiting RDP and SMB/admin share access to approved administrators, management hosts, and documented business needs.
- Harden execution surfaces by controlling PowerShell and command-shell abuse, monitoring script execution, and restricting untrusted binaries where feasible.
- Govern scheduled tasks as a persistence and execution surface: baseline known tasks, alert on unusual creation or modification, and review remote task creation permissions.
- Maintain endpoint and network visibility sufficient for IR reconstruction, including process, authentication, scheduled task, and egress logs with adequate retention.
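The scheduled-task governance item above (baseline known tasks, alert on unusual creation or modification), as an added example that is not part of the ATT&CK object or the page's own analysis. It diffs a current task inventory against an approved baseline and scores the changes by path, interpreter arguments, author and run-as principal. Inventory rows are simplified records of the kind exported by `schtasks /query /fo CSV /v` or Get-ScheduledTask; the field names, the approved-author list, the score weights and both inventories are assumptions. Remote task creation is not visible in an inventory; it comes from Security 4698 subject and logon context and is out of scope here.

```python
"""Added example: diff a scheduled-task inventory against a baseline and
score new or changed tasks. Not from the ATT&CK object or the page. Field
names, approved authors, weights and the sample inventories are assumptions."""
from __future__ import annotations

import re

# Locations a normal user can write to; a task action living here is the
# single strongest signal (ProgramData subfolders are often user-writable too).
USER_WRITABLE_RE = re.compile(r"\\(?:users|temp|appdata|public|programdata)\\", re.IGNORECASE)
# Command interpreters and LOLBins with arguments typical of persistence stubs.
SUSPICIOUS_CMD_RE = re.compile(
    r"(?:powershell|pwsh)(?:\.exe)?[^|]*?(?:-e(?:nc(?:odedcommand)?)?\b|-w(?:indowstyle)?\s+hidden"
    r"|-nop\b|\biex\b|downloadstring)"
    r"|\b(?:rundll32|regsvr32|mshta|wscript|cscript)(?:\.exe)?\b"
    r"|\bcmd(?:\.exe)?\s+/[ck]\b",
    re.IGNORECASE,
)
TRUSTED_PREFIX_RE = re.compile(r"^(?:%systemroot%|%windir%|c:\\windows|c:\\program files)", re.IGNORECASE)
# Assumption: the only principals expected to create tasks in this estate.
APPROVED_AUTHORS = {"microsoft corporation", "corp\\svc-sccm", "corp\\it-automation"}
SYSTEM_PRINCIPALS = {"system", "nt authority\\system"}


def fingerprint(task: dict) -> tuple[str, str, str]:
    """The fields whose change means the task now does something different."""
    return (task["author"].lower(), task["task_to_run"].lower(), task["run_as"].lower())


def diff_tasks(baseline: list[dict], current: list[dict]) -> tuple[list, list, list]:
    """Split the current inventory into added, modified and removed tasks."""
    base = {t["name"]: t for t in baseline}
    cur = {t["name"]: t for t in current}
    added = [cur[n] for n in cur if n not in base]
    removed = [base[n] for n in base if n not in cur]
    modified = [cur[n] for n in cur if n in base and fingerprint(cur[n]) != fingerprint(base[n])]
    return added, modified, removed


def score_task(task: dict) -> tuple[int, list[str]]:
    """Weighted reasons a new or changed task deserves analyst attention."""
    cmd = task["task_to_run"].strip('"')
    reasons = []
    if USER_WRITABLE_RE.search(cmd):
        reasons.append(("action in user-writable path", 3))
    if SUSPICIOUS_CMD_RE.search(cmd):
        reasons.append(("interpreter or LOLBin with suspicious arguments", 2))
    # Author is attacker-controlled metadata: absence from the list is a
    # signal, presence is not clearance (see the masquerading sample below).
    if task["author"].lower() not in APPROVED_AUTHORS:
        reasons.append(("author not in approved creators", 2))
    if task["run_as"].lower() in SYSTEM_PRINCIPALS and not TRUSTED_PREFIX_RE.match(cmd):
        reasons.append(("runs as SYSTEM from outside Windows/Program Files", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def review(baseline: list[dict], current: list[dict], threshold: int = 3) -> tuple[list[dict], list[str]]:
    """Findings at or above `threshold`, highest score first, plus removed task names."""
    added, modified, removed = diff_tasks(baseline, current)
    findings = []
    for change, tasks in (("added", added), ("modified", modified)):
        for t in tasks:
            score, reasons = score_task(t)
            if score >= threshold:
                findings.append({"task": t["name"], "change": change, "score": score, "reasons": reasons})
    findings.sort(key=lambda f: -f["score"])
    return findings, [t["name"] for t in removed]


# Constructed approved baseline and current inventory (not from a real host).
BASELINE = [
    {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "author": "Microsoft Corporation",
     "task_to_run": "%windir%\\system32\\defrag.exe -c -h -o -$", "run_as": "SYSTEM"},
    {"name": "\\Corp\\InventoryAgent", "author": "CORP\\svc-sccm",
     "task_to_run": "\"C:\\Program Files\\Corp\\inventory.exe\" --report", "run_as": "SYSTEM"},
    {"name": "\\Corp\\LogRotate", "author": "CORP\\it-automation",
     "task_to_run": "\"C:\\Program Files\\Corp\\logrotate.exe\"", "run_as": "SYSTEM"},
]
CURRENT_INVENTORY = [
    BASELINE[0],
    # action moved to a user-writable path while name and author stayed the same
    {"name": "\\Corp\\InventoryAgent", "author": "CORP\\svc-sccm",
     "task_to_run": "C:\\Users\\Public\\inv\\inventory.exe --report", "run_as": "SYSTEM"},
    # new task: hidden, encoded PowerShell created by an ordinary user, running as SYSTEM
    # (the -enc payload is base64 of UTF-16LE "ABC", a harmless placeholder)
    {"name": "\\Updater", "author": "CORP\\jdoe",
     "task_to_run": "powershell.exe -nop -w hidden -enc QQBCAEMA", "run_as": "SYSTEM"},
    # new task masquerading as a Microsoft task: the author field is spoofed
    {"name": "\\Microsoft\\Windows\\Telemetry\\Sync", "author": "Microsoft Corporation",
     "task_to_run": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe", "run_as": "CORP\\jdoe"},
    # new task from an approved automation account in a trusted location -> not flagged
    {"name": "\\Corp\\Backup", "author": "CORP\\it-automation",
     "task_to_run": "\"C:\\Program Files\\Corp\\backup.exe\" --nightly", "run_as": "SYSTEM"},
]

if __name__ == "__main__":
    findings, removed = review(BASELINE, CURRENT_INVENTORY)
    for f in findings:
        print(f)
    print("removed:", removed)
```

Three of the four changes are flagged: the encoded-PowerShell task scores highest, the modified inventory agent is caught by path change alone even though its name and author are unchanged, and the masquerading task is caught by its user-profile path despite a spoofed Microsoft author. The approved backup task scores zero. Removed tasks are reported separately because a disappearing task can be cleanup (T1070) as easily as decommissioning.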
Analyst notes and limits
The supplied ATT&CK object identifies APT3 as a China-based group that researchers have attributed to China’s Ministry of State Security and lists historical campaigns and aliases. The most actionable defensive context comes from the relationships to software and techniques, especially Windows-oriented tooling and behaviors. This take intentionally treats APT3 as a defensive emulation and readiness scenario rather than asserting current activity or exposure.
No official detection text, group-level tactics, or group-level platforms were supplied. Platform and tactic guidance is inferred only from related ATT&CK techniques and software, not from explicit APT3 object fields. Local telemetry, asset inventory, identity architecture, and approved administrative practices are required to decide what is suspicious in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1104 | Multi-Stage Channels | |
| Enterprise | T1110.002 | Brute Force: Password Cracking | APT3 has been known to brute force password hashes to be able to leverage plain text credentials. (Citation: APT3 Adversary Emulation Plan) |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | APT3 has been known to use |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1090.002 | Proxy: External Proxy | |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | APT3 has a tool that can run DLLs. (Citation: FireEye Clandestine Fox) |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | |
| Enterprise | T1098.007 | Account Manipulation: Additional Local or Domain Groups | APT3 has been known to add created accounts to local admin groups to maintain elevated access. (Citation: aptsim) |
| Enterprise | T1204.001 | User Execution: Malicious Link | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | APT3 has a tool that exfiltrates data over the C2 channel. (Citation: FireEye Clandestine Fox) |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | APT3 has been known to stage files for exfiltration in a single location. (Citation: aptsim) |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | |
| Enterprise | T1005 | Data from Local System | APT3 will identify Microsoft Office documents on the victim's computer. (Citation: aptsim) |
| Enterprise | T1203 | Exploitation for Client Execution | |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools. (Citation: FireEye Clandestine Fox) (Citation: FireEye Clandestine Fox Part 2) |
| Enterprise | T1087.001 | Account Discovery: Local Account | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | APT3 has a tool that can delete files. (Citation: FireEye Clandestine Fox) |
| Enterprise | T1083 | File and Directory Discovery | APT3 has a tool that looks for files and directories on the local file system. (Citation: FireEye Clandestine Fox) (Citation: evolution of pirpi) |
| Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features | APT3 replaces the Sticky Keys binary |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT3 has used tools to compress data before exfilling it. (Citation: aptsim) |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1057 | Process Discovery | APT3 has a tool that can list out currently running processes. (Citation: FireEye Clandestine Fox) (Citation: evolution of pirpi) |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1069 | Permission Groups Discovery | |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1036.010 | Masquerading: Masquerade Account Name | APT3 has been known to create or enable accounts, such as |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1136.001 | Create Account: Local Account | APT3 has been known to create or enable accounts, such as |
| Enterprise | T1105 | Ingress Tool Transfer | APT3 has a tool that can copy files to remote machines. (Citation: FireEye Clandestine Fox) |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | APT3 has been known to remove indicators of compromise from tools. (Citation: APT3 Adversary Emulation Plan) |
Groups, software, and campaigns
S0165: OSInfo
S0111: schtasks
S0013: PlugX
S0349: LaZagne
S0063: SHOTPUT
S0166: RemoteCMD
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object hashes and MITRE modification timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | ec7ee360150a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye Clandestine Wolf: Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- [2] Recorded Future APT3 May 2017: Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved September 16, 2024.
- [3] FireEye Operation Double Tap: Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- [4] Symantec Buckeye: Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- [5] APT3 (alias record): (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [6] Buckeye (alias record): (Citation: Symantec Buckeye)
- [7] Gothic Panda (alias record): (Citation: PWC Pirpi Scanbox) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [8] PWC Pirpi Scanbox: Lancaster, T. (2015, July 25). A tale of Pirpi, Scanbox & CVE-2015-3113. Retrieved March 30, 2016.
- [9] Pirpi (alias record): (Citation: PWC Pirpi Scanbox)
- [10] TG-0110 (alias record): (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [11] Threat Group-0110 (alias record): (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [12] UPS Team (alias record): (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [13] mitre-attack: G0022 (MITRE ATT&CK external ID for this object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.